
Case-Example

Case 3. Yet Another Linux Investigation

  1. Running netstat, we see a weird python script with an established connection to some remote host:

img10

  2. Grab the executable: lsof -p 2082 and ps aux | grep 2082.

img11

  3. Look in the /tmp/ folder for the backdoor executable.
  4. Check /proc/2082 and ls.

img12

  5. Since the executable is a legitimate python, we need to explore further. In /proc/2082: sudo cat cmdline shows the command used to launch it, cat task/2082/children shows the children PIDs, sudo cat status shows general information, cat environ shows …, and cat arp shows the MAC addresses of the machines connected:

img1
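The /proc/2082 walk above, collected into one report. This is an added example, not a script from the original notes: proc_triage() reads exe, cmdline, status, task/PID/children and environ for a PID. The second argument (the proc root) is an assumption for testing only; it lets the function run against a constructed copy of a process directory and defaults to /proc. The one thing plain cat hides is that cmdline and environ are NUL-separated, so the fields run together on screen; the report translates the NULs first.

```shell
#!/bin/sh
# Added example: gather the /proc/<pid> artifacts from the steps above into one
# report. PROC_ROOT (2nd arg) defaults to /proc and exists only so the function
# can be run against a constructed copy of a process directory.
proc_triage() {
  pid=$1
  proc_root=${2:-/proc}
  d="$proc_root/$pid"
  if [ ! -d "$d" ]; then
    echo "no such process directory: $d" >&2
    return 1
  fi
  # exe is a symlink to the binary actually running; for a script this resolves
  # to the interpreter (a legitimate python here), which is why cmdline matters.
  echo "== exe =="
  readlink "$d/exe" 2>/dev/null || echo "(exe link unreadable; run as root)"
  # cmdline and environ are NUL-separated, so plain cat runs the fields
  # together; translate the NULs before reading them.
  echo "== cmdline =="
  tr '\000' ' ' < "$d/cmdline"
  echo
  echo "== status (selected) =="
  grep -E '^(Name|State|PPid|Uid|Gid):' "$d/status" || true
  echo "== children =="
  cat "$d/task/$pid/children" 2>/dev/null || true
  echo
  echo "== environ =="
  tr '\000' '\n' < "$d/environ" 2>/dev/null || echo "(environ unreadable; run as root)"
  return 0
}

# Usage: sh proc_triage.sh 2082   (root is needed for other users' exe/environ)
if [ "$#" -eq 1 ] && [ -d "/proc/$1" ]; then
  proc_triage "$1"
fi
```

Run it before anything else is done to the process: children and environ disappear once the process is killed, and status/PPid is what ties the script back to whatever started it.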

Case 4. Compromised Apache Server

A compromised Apache web server running a Drupal application used by a local team. Unusual activity was noticed between 05/10 and 08/10/19.

You need to preserve evidence, and some commands (like find) overwrite artifacts such as access times. Disable access-time updates first.

User activity: inspect /etc/passwd, and pull the inode's full metadata with sudo debugfs -R 'stat <1835260>' /dev/....

img2
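Two helpers for the steps above, added here and not part of the original notes. mount_atime_mode() reports whether a mounted filesystem updates access times (noatime, relatime, strictatime or the default), which is the check to make before running anything like find over the evidence. check_timestomp() parses the output of debugfs -R 'stat <ino>' and compares crtime with mtime: a file cannot be modified before it was created, so an mtime earlier than crtime means the mtime was set back. sample_debugfs_output() is a constructed sample in the layout debugfs prints (inode 1835260 is from the notes; every timestamp in it is made up), and the /dev/sdXN device in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes.

# mount_atime_mode MOUNTPOINT [MOUNTS_FILE]
# Prints noatime / relatime / strictatime / default for the mount point.
# MOUNTS_FILE defaults to /proc/mounts; it is a parameter for testing only.
mount_atime_mode() {
  mp=$1
  mounts=${2:-/proc/mounts}
  opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
  [ -n "$opts" ] || { echo "not mounted: $mp" >&2; return 1; }
  case ",$opts," in
    *,noatime,*)     echo noatime ;;
    *,relatime,*)    echo relatime ;;
    *,strictatime,*) echo strictatime ;;
    *)               echo default ;;
  esac
}

# debugfs_times: stdin is debugfs 'stat' output; prints "<name> <hex seconds>"
# for atime/ctime/mtime/crtime. debugfs prints each timestamp as
# "<hex seconds>:<hex extra> -- <human-readable date>".
debugfs_times() {
  awk '/^ *(atime|ctime|mtime|crtime):/ {
         name = $1; sub(":", "", name)
         split($2, t, ":")
         print name, t[1]
       }'
}

# Shell arithmetic accepts 0x-prefixed constants, so no external tool is needed.
hex_to_dec() { echo $(( $1 )); }

# check_timestomp: stdin is debugfs 'stat' output. Exit 0 when the timeline is
# consistent, 2 when mtime is earlier than crtime (set-back mtime), 1 if the
# two timestamps could not be parsed.
check_timestomp() {
  times=$(debugfs_times)
  mtime=$(printf '%s\n' "$times" | awk '$1 == "mtime" { print $2 }')
  crtime=$(printf '%s\n' "$times" | awk '$1 == "crtime" { print $2 }')
  if [ -z "$mtime" ] || [ -z "$crtime" ]; then
    echo "could not find mtime/crtime in debugfs output" >&2
    return 1
  fi
  m=$(hex_to_dec "$mtime")
  c=$(hex_to_dec "$crtime")
  if [ "$m" -lt "$c" ]; then
    echo "SUSPICIOUS: mtime $m predates crtime $c"
    return 2
  fi
  echo "consistent: crtime $c <= mtime $m"
  return 0
}

# Constructed sample in the debugfs 'stat' layout (timestamps are made up):
# created and changed on 7 Oct 2019, but mtime claims Nov 2017.
sample_debugfs_output() {
  cat <<'EOF'
Inode: 1835260   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 1234567890    Version: 0x00000000:00000001
User:     0   Group:     0   Project:     0   Size: 2012
File ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x5d9b8c0a:00000000 -- Mon Oct  7 19:03:38 2019
 atime: 0x5a000000:00000000 -- Mon Nov  6 06:24:00 2017
 mtime: 0x5a000000:00000000 -- Mon Nov  6 06:24:00 2017
crtime: 0x5d9b8c0a:00000000 -- Mon Oct  7 19:03:38 2019
Size of extra inode fields: 32
EOF
}

# Real use (device placeholder): sudo debugfs -R 'stat <1835260>' /dev/sdXN | check_timestomp
```

crtime is the reason to go through debugfs at all: stat(1) shows atime/mtime/ctime but not the ext4 creation time, and crtime is the one of the four that ordinary tools do not let a user set.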

Checking groups: tail -n 4 /etc/group, grep -E 'mail|php' /etc/group.

Case 5. Kali Linux Data Exfiltration

IP theft and Kali Linux is a suspect. Has the user exfiltrated pictures or documents?

Can look for info in xdg directories:

Can look for info in non-xdg dirs:

cat .bash_history, and check the defaults in ~/.bashrc. For Kali: ~/.msf4/history (doesn't log commands typed into the remote shell), ~/.nc_history (created if rlwrap was used to run nc).

Also ~/.viminfo: command history, string search history, input-line history, contents of non-empty registers, marks for several files, file marks pointing to locations in files, last search/substitute pattern for 'n' or '&', buffer list, global variables.

~/.cache/sessions is written by xfce-session, and only if sessions are saved: a list of the open programs that were saved from the last session (when the user last logged out) on recent Kalis. Xfce-session-[hostname]:0 is the session file and .bak the previous version of it. A client is a program or window that needs to be opened. At the end of the file: the number of programs to be run and the time this session was last saved (not opened by the user). XFWM is the xfce window manager.
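The artifact list above, turned into something runnable. This is an added example, not from the original notes: kali_history_artifacts() lists which of the history files named above exist under a given home directory, so they can be copied before anything else is run as that user, and viminfo_report() pulls the three parts of ~/.viminfo that answer "what did this user edit and search for": the ex command history, the search history and the files that have marks recorded. sample_viminfo() is a constructed file in the .viminfo layout; its paths, commands and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the original notes.

# kali_history_artifacts HOME_DIR
# Prints the history artifacts from the notes that exist under HOME_DIR.
kali_history_artifacts() {
  home=$1
  for f in .bash_history .bashrc .msf4/history .nc_history .viminfo .cache/sessions; do
    [ -e "$home/$f" ] && printf '%s\n' "$home/$f"
  done
  return 0
}

# viminfo_report: stdin is a .viminfo file. Prints one line per item:
#   cmd <ex command>     from "# Command Line History"
#   search <pattern>     from "# Search String History"
#   file <path>          from "# History of marks within files"
# Section headers start with "# "; entries follow until the next header. The
# "|..." lines are Vim's machine-readable duplicates of the entries and are skipped.
viminfo_report() {
  awk '
    /^# Command Line History/          { sec = "cmd";    next }
    /^# Search String History/         { sec = "search"; next }
    /^# History of marks within files/ { sec = "files";  next }
    /^# /                              { sec = "";       next }
    sec == "cmd" && /^:/ { print "cmd", substr($0, 2); next }
    sec == "search" && (substr($0, 1, 2) == "?/" || substr($0, 1, 2) == "??") {
      print "search", substr($0, 3); next
    }
    sec == "files" && /^> / { print "file", substr($0, 3); next }
  '
}

# Constructed sample in the .viminfo layout (contents are made up).
sample_viminfo() {
  cat <<'EOF'
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8

# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq
|2,0,1570473000,,"wq"
:%s/draft/final/g
|2,0,1570472990,,"%s/draft/final/g"

# Search String History (newest to oldest):
?/password
|2,1,1570472980,47,"password"

# Registers:
""1 LINE 0
    copied line
|3,1,1,1,1,0,1570472970,"copied line"

# File marks:
'0  12  0  /home/kali/Documents/plan.docx
|4,48,12,0,1570473000,"/home/kali/Documents/plan.docx"

# History of marks within files (newest to oldest):

> /home/kali/Documents/plan.docx
    *   1570473000  0
    "   12  0

> /home/kali/.ssh/config
    *   1570472000  0
    "   3   0
EOF
}

# Usage: kali_history_artifacts /home/kali; viminfo_report < /home/kali/.viminfo
```

The "file" lines are the ones that matter for the exfiltration question: they name every file the user had open in vim recently, whether or not it still exists, and the timestamps on the "*" lines under each path (epoch seconds) give when it was last edited.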